The Purple Team Exercise Framework (PTEF) is the industry standard methodology for designing and executing collaborative security exercises that bring together Cyber Threat Intelligence (CTI), Red Teams, and Blue Teams.
Purple Team Exercises are an efficient method to test, measure, and improve your organization's resilience to real cyber attacks. The framework covers:
- Purple Team Exercises - Ad-hoc collaborative exercises
- Operationalized Purple Team - Continuous virtual team effort
- Dedicated Purple Team - Dedicated staff roles
PTEFv4 is a comprehensive overhaul focused on practitioner usability:
- Quick-Reference One-Pagers - Printable single-page guides for use during exercises
- Improved Documentation - Streamlined navigation, fixed errors, better organization
- Cloud & Identity Coverage - Cloud environments, identity providers, and modern infrastructure scoping
- AI/ML Threat Guidance - MITRE ATLAS, OWASP LLM Top 10, and AI/ML attack surface coverage
- Detection Engineering Expansion - Detection-as-Code, Sigma rules, CI/CD deployment, detection lifecycle
- ATT&CK v18 Alignment - Updated to Detection Strategies + Analytics terminology
- Broadened Tool Ecosystem - SCYTHE, MITRE Caldera, Atomic Red Team, and The C2 Matrix references
- Continuous Purple Teaming - Automated regression testing, BAS integration, validation metrics
- Remote/Hybrid Exercise Guidance - Detailed guidance for remote and hybrid exercise logistics
- Contributor Guidelines - Clear process for community contributions
- PDF Generation - All documentation available in PDF format
Read the Full Framework (PTEFv4) - The complete methodology including:
- Executive Summary & Definitions
- Goals and Objectives
- Industry & Regulatory Frameworks
- Roles and Responsibilities
- Planning Phases
- Cyber Threat Intelligence Process
- Exercise Execution Flow
- Lessons Learned
- Purple Team Maturity Model (PTMM)
- FAQ
Download: PTEFv4.pdf
Printable one-page guides for use during exercises are available in the one-pagers folder:
| Guide | Purpose |
|---|---|
| Exercise Checklist | Pre/during/post exercise checkboxes |
| Roles Reference | Quick lookup for each role's responsibilities |
| CTI Process | 7-step CTI flow with key questions |
| Exercise Day | Flow diagram + Red/Blue coordination |
| Metrics Guide | What to measure and tracking templates |
| PTMM Poster | Visual maturity model with levels |
Templates for running Purple Team Exercises are available in the templates folder:
- Purple Team Exercise Template (.docx)
- TTP Mapping Template (.xlsx)
- Emulation Plan Template (.md)
| Version | Description | Links |
|---|---|---|
| v4 (Current) | Practitioner usability overhaul: one-pagers, improved docs, contributor guidelines | Markdown, PDF |
| v3 | Adds Operationalized Purple Teaming and Dedicated Purple Teams | Markdown, PDF |
| v2 | Expanded for third-party providers (consultants, MSSPs) | Markdown, PDF, Slides |
| v1 | Original version for internal enterprise teams | Markdown, PDF |
We welcome contributions! Please see CONTRIBUTING.md for guidelines on how to submit pull requests, report issues, and suggest improvements.
This project is licensed under the MIT License - see the LICENSE file for details.
PTEF was created by SCYTHE and has been used by countless enterprises, consulting companies, and managed service providers worldwide. Thank you to all contributors who have helped make this the industry standard for Purple Team Exercises.
Repository: github.com/scythe-io/purple-team-exercise-framework
